VYPR
Get started
← All vendors
Vendor

KDE

Sign in to watch

KDE is an international free software community that develops free and open-source software. As a central development hub, it provides tools and resources that enable collaborative work on its projects. Its products include the KDE Plasma graphical shell, KDE Frameworks, and the KDE Gear range of applications including Kate, digiKam, and Krita. Many KDE applications are cross-platform and can run on Unix and Unix-like operating systems as well as Microsoft Windows. KDE is legally represented by KDE e.V. based in Germany, which also owns the KDE trademarks and funds the project.

Founded 1996
Products
49
CVEs
163
Across products
1,158
Status
Private

Products

49

Recent CVEs

163
CVESevRiskCVSSEPSSKEVPublishedDescription
CVE-2017-8422Hig0.547.80.00May 17, 2017KDE kdelibs before 4.14.32 and KAuth before 5.34 allow local users to gain root privileges by spoofing a callerID and leveraging a privileged helper app.
CVE-2016-7967Hig0.538.10.00Dec 23, 2016KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. Since the generated html is executed in the local file security context by default access to remote and local URLs was enabled.
CVE-2017-5330Hig0.517.80.01Mar 27, 2017ark before 16.12.1 might allow remote attackers to execute arbitrary code via an executable in an archive, related to associated applications.
CVE-2006-2916Hig0.517.80.00Jun 15, 2006artswrapper in aRts, when running setuid root on Linux 2.6.0 or later versions, does not check the return value of the setuid function call, which allows local users to gain root privileges by causing setuid to fail, which prevents artsd from dropping privileges.
CVE-2017-9604Hig0.497.50.00Jun 13, 2017KDE kmail before 5.5.2 and messagelib before 5.5.2, as distributed in KDE Applications before 17.04.2, do not ensure that a plugin's sign/encrypt action occurs during use of the Send Later feature, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2005-1920Hig0.497.50.03Jul 26, 2005The (1) Kate and (2) Kwrite applications in KDE KDE 3.2.x through 3.4.0 do not properly set the same permissions on the backup file as were set on the original file, which could allow local users and possibly remote attackers to obtain sensitive information.
CVE-2016-7966Hig0.477.30.00Dec 23, 2016Through a malicious URL that contained a quote character it was possible to inject HTML code in KMail's plaintext viewer. Due to the parser used on the URL it was not possible to include the equal sign (=) or a space into the injected HTML, which greatly reduces the available HTML functionality. Although it is possible to include an HTML comment indicator to hide content.
CVE-2015-7543Hig0.467.00.00Jul 25, 2017aRts 1.5.10 and kdelibs3 3.5.10 and earlier do not properly create temporary directories, which allows local users to hijack the IPC by pre-creating the temporary directory.
CVE-2006-6811Med0.466.50.05Dec 29, 2006KsIRC 1.3.12 allows remote attackers to cause a denial of service (crash) via a long PRIVMSG string when connecting to an Internet Relay Chat (IRC) server, which causes an assertion failure and results in a NULL pointer dereference. NOTE: this issue was originally reported as a buffer overflow.
CVE-2004-0689Hig0.467.10.00Sep 28, 2004KDE before 3.3.0 does not properly handle when certain symbolic links point to "stale" locations, which could allow local users to create or truncate arbitrary files.
CVE-2026-41527Med0.456.90.00Apr 21, 2026KDE Kleopatra before 26.08.0 on Windows allows local users to obtain the privileges of a Kleopatra user, because there is an error in the mechanism (KUniqueService) for ensuring that only one instance is running.
CVE-2026-45184Med0.426.50.00May 9, 2026Kdenlive before 26.04.1 allows dangerous proxy parameters when an attacker-controlled project file is used.
CVE-2026-41526Med0.426.50.00Apr 28, 2026In KDE KCoreAddons before 6.25, KShell::quoteArgs is intended to safely quote arguments so that they can be passed to a shell command. This parsing does not adequately handle metacharacters, leading to an escape from the shell. All applications relying on this method in a security-critical path to handle user input are affected and could be exploited. In particular, because sendInput() sends a string to a terminal, a control character such as \x01 can be used during injection.
CVE-2026-41525Med0.426.50.00Apr 28, 2026KDE Dolphin before 25.12.3 allows applications in a Flatpak (or with AppArmor confinement) to open folders outside of the application sandbox without additional scrutiny. Dolphin's implementation of the FileManager1 protocol allows the path given to be any type of file, including scripts or executables. (By default, Dolphin will then prompt the user to determine if they want to launch a script or executable; however, the intended behavior is to block the attempted action, not present a consent prompt.)
CVE-2016-7968Med0.426.50.00Dec 23, 2016KMail since version 5.3.0 used a QWebEngine based viewer that had JavaScript enabled. HTML Mail contents were not sanitized for JavaScript and included code was executed.
CVE-2014-8878Med0.385.90.00Sep 28, 2017KDE KMail does not encrypt attachments in emails when "automatic encryption" is enabled, which allows remote attackers to obtain sensitive information by sniffing the network.
CVE-2017-6410Med0.365.50.00Mar 2, 2017kpac/script.cpp in KDE kio before 5.32 and kdelibs before 4.14.30 calls the PAC FindProxyForURL function with a full https URL (potentially including Basic Authentication credentials, a query string, or PATH_INFO), which allows remote attackers to obtain sensitive information via a crafted PAC file.
CVE-2016-7787Med0.324.90.01Dec 23, 2016A maliciously crafted command line for kdesu can result in the user only seeing part of the commands that will actually get executed as super user.
CVE-2025-32901Med0.284.30.00Dec 5, 2025In KDE Connect before 1.33.0 on Android, malicious device IDs (sent via broadcast UDP) could cause an application crash.
CVE-2025-32899Med0.284.30.00Dec 5, 2025In KDE Connect before 1.33.0 on Android, a packet can be crafted that causes two paired devices to unpair. Specifically, it is an invalid discovery packet sent over broadcast UDP.